The information security program of the Corporation for National and Community Service, now called AmeriCorps, remains Not Effective and has shown little progress over the past four years. While AmeriCorps has demonstrated some improvement on configuration management, key areas of organization-wide risk management strategy, standard baseline configurations, Personal Identity Verification (PIV) multifactor authentication, and vulnerability and patch management have remained stagnant at a low level of maturity. AmeriCorps continues to suffer a significant number of critical and high-risk vulnerabilities, which were not mitigated within the prescribed deadlines commensurate with their importance. Nor has AmeriCorps made significant progress in closing prior recommendations. Since last year, only eleven of the 58 open recommendations from the FY 2014 – FY 2019 FISMA evaluations have been resolved, yielding limited improvements in FISMA metric results.
An inability to address critical deficiencies leaves AmeriCorps systems and data vulnerable to data breaches, which may expose sensitive information, including Personally Identifiable Information, to unauthorized access, use and disclosure. Our report offers nine recommendations (eight new and one modified repeat), which, together with the prior year recommendations, will assist AmeriCorps in addressing challenges in the development of a mature and effective information security program. AmeriCorps has committed to implementing corrective actions to our recommendations.